Sri Lanka’s law enforcement challenges:
Monitoring and detecting cyber crime
Continued from Thursday
Excerpts of the plenary presentation made by Deputy Inspector General of Police Asoka Wijetilleka at the Annual Scientific Sessions of the Medico Legal Society of Sri Lanka at the Sri Lanka Foundation Institute (SLFI)
Given the unrestricted number of free web sites, the Internet is, as you are well aware, undeniably open to exploitation. Known as cyber crimes, these activities involve the use of computers, the Internet, cyberspace and the World Wide Web.
There also exist other problems that contribute to under-reporting. The lack of tangible, conspicuous evidence is the key factor in the under-reporting of computer crime. Complicating the invisibility problem, most victims of computer crime and intrusions fail to report their victimization for different reasons, namely fear of negative publicity, potential loss of future revenues, or mistrust, thinking police cannot handle such high-tech crimes, and a focus on stopping the intrusion, minimizing the losses and avoiding publicity at all costs. This situation needs to be addressed and corrected. These impediments need to be well addressed and something must be done to overcome these problems.
Awareness is important, and any matter should be reported at once. More importantly, users must try and save any electronic information trail on their computers. That’s all one can do, then, until laws become more stringent or technology more advanced.
Monitoring process
Under the current scheme pertaining to the conduct of criminal investigation, police have to await either the receipt of information or a formal complaint relating to the commission of a cyber crime for the purpose of commencing the conduct of a criminal investigation.
However, in view of the very nature of cyber crime, it is my view that, to effectively combat cyber crime, it is necessary for the ‘Investigators’ to adopt a “Proactive” approach to law enforcement. One way in which such “proactivity” could be achieved is by establishing a legally recognized “surveillance and monitoring system” of the Internet and other associated data transferring systems.
Through such an effective surveillance and monitoring system it may be possible to effectively seize the inflow of harmful viruses and other material, outflow of prohibited and offensive material such as pornographic material linked to imagery (photos and videos), acts of terrorism, attempts to gain unlawful or unauthorized access to intranets and computer systems containing sensitive and confidential material. An efficient internet monitoring and surveillance system can be used not only for the early detection of crime but it can also be used for the prevention of cyber crime.
Therefore, the establishment of a National Policy Formulation Committee for the setting up of an Internet surveillance and monitoring unit for the purpose of preventing the commission of cyber crime and the early detection of the commission of such crimes is an essential step that we need to consider at this juncture. Based on the formulation of national policy due consideration must be given to enact legislation for operational purposes.
Similarly, it is worth examining the possibility of reducing the number of service provider gateways to one “Central Gateway” to effectively monitor the inflows and outflows of material through Internet connectivity. This exercise will make it easy to have a proper monitoring mechanism with less hassle and act as a sufficient control measure of high monitoring capability.
Notwithstanding other important dimensions in developing investigative capabilities and addressing issues relevant to law deficiencies, the Police need the public in their role as a supportive body.
Prevention is always better than cure. It is always better to take certain precautions while operating the net. Anybody should make them his or her part of cyber life.
As one of the major points of vulnerability is people, defensive information warfare also has an educational component. Security awareness and training programs can serve to inform employees about their organization’s information security policy, to sensitize them to risks and potential losses, and to train them in the use of security practices and technologies.
Cyberspace security
These programs can provide training in the areas of physical and personnel security as well as cyberspace security. Employees can be made aware of social engineering tactics and how to detect and avoid them. System administrators can be trained in information security so that they can properly configure and monitor systems. They and other staff members can be instructed in their responsibilities regarding information security practices and incidents.
Laws to enforce property rights work only when property owners take reasonable steps to protect their property in the first place. As one observer has noted, if home owners failed to buy locks for their front doors, should Police solve the problem by passing more laws or deploying more policemen? Even where laws are adequate, firms dependent on the network must make their own information and systems secure.
Extending the rule of law into cyberspace is a critical step to create a trustworthy environment for people and businesses.
Because that extension remains a work in progress, organizations today must first and foremost defend their own systems and information from attack, be it from outsiders or from within. They may rely only secondarily on the deterrence that effective law enforcement can provide.
To provide this self-protection, organizations should focus on implementing cyber security plans addressing people, process, and technology issues. Organizations need to commit the resources to educate employees on security practices, develop thorough plans for the handling of sensitive data, records and transactions, and incorporate robust security technology - such as firewalls, anti-virus software, intrusion detection tools, and authentication services - throughout the organization’s computer systems.
These system protection tools - the software and hardware for defending information systems - are of course expensive and complex to operate. To avoid hassles and expense, system manufacturers and system operators routinely leave security features ‘turned off’, needlessly increasing the vulnerability of the information on the systems. Bugs and security holes with known fixes are routinely left uncorrected. Further, no acceptable standards exist to benchmark the quality of the tools, and no accepted methodology exists for organizations to determine how much investment in security is enough.
The inability to quantify the costs and benefits of information security investments leaves security managers at a disadvantage when competing for organizational resources. Much work remains to improve management and technical solutions for information protection.
We have been aware of the vulnerabilities of our computer networks for some time. We must ‘harden’ our critical infrastructures to ensure our security and our safety. This is where encryption technology comes in. Encryption can protect the security of our computer information and networks.
Encryption
Encryption is the key to protecting the privacy of our online communications and electronic records. Strong encryption serves as a crime prevention shield to stop hackers, industrial spies and thieves from snooping into private computer files and stealing valuable proprietary information. Unfortunately, we still have a long way to go relevant to an encryption policy to reflect that this technology is a significant crime and terrorism prevention tool.
We need to have a national computer policy in relation to encryption and allied matters connected thereto, to safeguard our critical infrastructures. The Organization for Economic Cooperation and Development (OECD), way back in the year 1990, created a group of experts and they prepared guidelines relevant to apply to all information systems in the public and private sector, subject to national laws. They articulate nine basic principles:
1. Accountability - the responsibilities and accountability of owners, providers, and users of information systems and other parties concerned with the security of information systems should be explicit.
2. Awareness - To foster confidence in information systems, owners, providers and users of information systems and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures, practices and procedures for the security of information systems.
3. Ethics - Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.
4. Multidisciplinary - Measures, practices, and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints, including technical, administrative, organizational, operational, commercial, educational and legal.
5. Proportionality - Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability, and extent of potential harm, as the requirements for security vary depending upon the particular information systems.
6. Integration - Measures, practices, and procedures for the security of information systems should be coordinated and integrated with each other and with other measures, practices, and procedures of the organization so as to create a coherent system of security.
7. Timeliness - Public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of security of information systems.
8. Reassessment - The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.
9. Democracy - The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.
These guidelines, to my mind, are most suited even for the present and address several areas of implementation, including policy development, education and training, exchange of information related to implementation of the guidelines, enforcement and redress related to implementation of the guidelines, and information security safeguards, and cooperation between and among governments and the private sector for purposes of implementation and harmonization of measures, practices, and procedures for information systems security.
Inadequate law
On the other hand, the Conventional Criminal Law of Sri Lanka, which is found in the Penal Code, was found inadequate to effectively deal with the type of crimes that could be committed with the aid of advanced technology, and hence several laws were enacted by the Parliament to, inter alia, deal with offences committed both with the aid of advanced technology as well as against or in relation with advanced technological equipment. These laws are:
1. Prevention of Money Laundering Act No. 05 of 2006
2. Computer Crimes Act No. 24 of 2007
3. Payment Device Fraud Act No. 30 of 2006
4. Electronic Transaction Act No. 19 of 2006
Whilst these laws primarily provide for the stipulation of offences and punishments with regard to offences committed with the aid of, against and in relation to advanced technology, they also enable the investigation and prosecution of offences falling into this category.
The Reporting of Financial Transaction Act No. 16 of 2006 also assists in the detection and investigation of these crimes, and the Evidence (Spl. Provisions) Act of 1995 enables evidence connected with advanced technology to be admitted in evidence in Court. To a greater extent these laws have identified the offences, punishments, and though not comprehensive to some extent, the admissibility criteria relevant to evidence.
Legislative framework
However, for effective and comprehensive law enforcement, including in particular the conduct of Criminal Investigations, there has to necessarily be a proper and comprehensive legislative framework for operational purposes. Be it in respect of computer crimes or offences of any other type, all investigations are regulated by Chapter XI of the Code of Criminal Procedure Act.
It would be seen that the provisions of this Chapter are not comprehensive and do not cover all aspects of criminal investigations leading up to the institution of criminal proceedings relevant to crimes committed both with the aid of advanced technology as well as against or in relation with advanced technological equipment.
In the circumstances, there is a compelling need to review the provisions of this Chapter (Sec. 110 to 125) and propose to the government necessary amendments to be introduced.
To be continued
DAILYNEWS.LK
Saturday, 21 November 2009